Network Users Protect Selves, Change Defaults and Passwords
Eric Richard
Second in a series dealing with security and privacy issues of MITnet.
Because of the dangers of allowing remote access to machines, network users at MIT need to be careful when configuring their systems in order to avoid compromising the security of their machines.
"Being on the net can be dangerous, though it is fairly easy to close the big security holes if network users become informed," said Matthew K. Gray '95, former chairman of the Student Information Processing Board, a student group which provides assistance to computer users.
"There are a lot of ways a person can potentially access your computer, including [the File Transfer Protocol], Appleshare, [Simple Mail Transfer Protocol], telnet, and numerous other network services that are often run by default" when a computer starts up, Gray said.
These common programs allow users access to various network services from their computer. In addition, programs like FTP, telnet, and Appleshare servers are designed to allow outside users to connect to and access files on a machine.
While it is virtually impossible to assure that any computer connected to the network is completely secure, educated and responsible users can minimize their risk, Gray said.
"The only way to be completely secure is to unplug your machine and lock your door," Gray said. "The real objective is to close the big security holes."
Dangerous default settings
"Many default setups allow other users on the Internet full access to all files on your machine," Gray said. "Be sure that your setup prevents access to copyrighted software and all other files that you wish to keep private."
"Macintosh users have to be more careful" than users of IBM compatible computers, said East Campus Residential Computing Consultant Srikar Srinath '94.
The file sharing option on Macintosh computers is not automatically on, added Rupert C. Young '94, an RCC for MacGregor House. This means that no outside users can access the machine unless the machine's owner specifically turns file sharing on.
But a user can easily open his hard drive to the world with a wrong click of the mouse, Srinath said.
Once file sharing is activated, it allows outside users to connect via a guest account which does not require a password, Young said. The default permission for the guest account allows the user to connect and read or write any program, file, or folder on the computer.
If users use the default permissions for the guest account, anyone can log in and delete their entire hard drive, Srinath said. He added that he has found more than 15 Macintosh machines connected to MITnet that allow guests to access their hard drives.
For both Appleshare and FTP servers, Gray said, "Make sure your ... setup does not allow other users to retrieve files that you do not intend them to or to write to your drive."
Srinath added that users can check the security of their computer by trying to access it from a friend's computer.
Another common mistake is not requiring a password to access FTP, telnet, or Macintosh Appleshare servers, Gray said.
Although many public FTP or telnet programs allow accounts with passwords and explicit directory permissions, users commonly do not require a password for these accounts, according to Young. Hence, any other user can connect through that account without providing a password.
Also, "if you are running a machine and you pick a bad password," you have potentially compromised the security of all the data on that machine, said Michael L. Barrow '93, consultant for Distributed Computing and Network Services.
"The security of a user's data is based on that user's password," said Professor Steven R. Lerman, chair of the Academic Computing Council. "If the user selects a simple password or gives his or her password to someone else, there is no real security."
When the owner's account is compromised, an outside user would have full access to the machine, including permission to change the owner's password and delete any file.
Another common user error is allowing outsiders to access copyrighted software, Gray said.
"Some setups allow other users on the Internet full access to all files on your machine," Gray said. "Be sure that your setup prevents access to copyrighted software and all other files that you wish to keep private."
"There have been a couple cases [of users allowing access to copyrighted software] and we asked them to turn them off. ... To my knowledge, we have never had to go further than that," Barrow said. "They could have been accidental. Maybe one was on purpose."
"We try to say, 'Look, you should probably turn that off before someone else sees it. You could go to jail,' " Barrow said.
Because FTP allows access from users anywhere on the Internet, access to copyrighted software is a particular concern for users running FTP servers, Young said. "There is no restriction on who can potentially FTP to your machine."
During a recent search of Macintosh computers with disks on Appleshare, reporters from The Tech found several sites at which copyrighted software was accessible.
In particular, the Appleshare site for one student activity group allowed complete read and write access to their system. Among the software available were Aldus Pagemaker, Microsoft Excel, Microsoft Word, and Quarkxpress. One of the students maintaining the site said that the access was an accident and changed it immediately.
"[Information Systems] does not actively look for computers with publicly available copyrighted software or glaring security holes," Barrow said. "We are not a law-enforcement agency; we are not going to police things."
"All we can do is tell you to clean it up," Barrow said. However, Barrow warned that if outside organizations such as the Software Publishers Association or the Federal Bureau of Investigation find users offering copyrighted software, "something bad can happen to you."
"I think there is a real fine line between what you consider giving people software and having something there for your friends to use," said Luis A. Uribarri II '95. As of last Wednesday, Uribarri's Appleshare server allowed users to access both Simcity and Simworld.
Another Appleshare site had the following copyrighted programs publicly accessible: Simcity, Spectre Supreme, The Leather Goddesses of Phobos, and Zork I. The owner of the Appleshare server, Daniel R. Risacher '95, refused to comment.
Barrow warned students not to take the issue of providing copyrighted software lightly. "People think that it is a game. ... It is not a game. People have to understand that this is serious stuff."
Education is key
Gray emphasized the need for users to take the time to educate themselves about how to properly configure their systems. "Spend an hour making sure your machine is secure, or spend a week rewriting a term paper that some bonehead in Sweden erased for you," Gray said.
"On a Macintosh, read all your documentation on Applesharing," Gray said. "If you are setting up a Linux box, talk to people in SIPB to make sure it is set up right. If you are running a DOS machine with an FTP server, read the documentation."
Gray also suggested that students ask their RCCs or members of SIPB if they had questions about security issues.
"Theoretically, it would not be hard to have your machine unintentionally set up such that anybody on the Internet could erase your entire hard drive," Gray said. "On the other hand, it is also easy to prevent this."
"Some level of paranoia is good, especially if you have sensitive stuff on your machine," Srinath said.
(Ifung Lu contributed to the reporting of this story.)